added to DATA SET records.
INDEX RANDOM and INDEX SEQUENTIAL entries replaced with INDEXES.
Added TABLE CHANGE RECORDS.

A-4 - A-6   Added BLOCK CONTROL FIELDS.
            PREVIOUS AUDIT SERIAL NUMBER moved to first entry for
            LIST records.
            Deleted NEXT AVAILABLE (BIT(32)) from @ace.
            Added LIST HEAD heading.
            PREVIOUS AUDIT SERIAL NUMBER moved to first entry for
            LIST HEAD and RECORD ALLOCATION records.
            Added G6 2@ to RECORD ALLOCATION.

2/1/79      Deleted sentence concerning high-order bit of the
            second digit.

A-2 - A-4   BLOCK LOGICAL ADDRESS BIT(24) added to Data Sets and
            Lists.
            DATA RECORD LOGICAL ADDRESS BIT(32) changed to DATA
            RECORD NUMBER BIT(8).
            TABLE ENTRY LOGICAL ADDRESS BIT(36) changed to TABLE
            ENTRY NUMBER BIT(12).
            LIST TABLE LOGICAL ADDRESS BIT(32) changed to LIST
            TABLE NUMBER BIT(8).
            LIST records renumbered.

A-4 - A-6   BLOCK LOGICAL ADDRESS BIT(24) added to List Head and
            Record Allocation.
            Record format changed for List Head entries and Index
            Splits and Combines.
            Deleted @74@ and @75@ from Index Splits and Combines.
            LIST HEAD records renumbered.

INTRODUCTION

This document describes the audit and recovery procedures that
are available in the Mark 8.9 and later release of DMSII. It is
a general description of these features and a discussion of how
they are implemented. The syntax for specifying Audit and
Recovery is described in the DASDL product specification (P.S.
2219 9433) and an example of AUDIT/RECOVERY specifications is
given in Appendix B of this document.

DMSII audit and recovery procedures enable users to safeguard and
to reconstruct the integrity of their data bases by automatically
providing a history of all changes to the data base and by
allowing a range of recovery procedures.


RELATED DOCUMENTATION

NAME                          NUMBER

DASDL                         P.S. 2219 0433
DMS Reorganization            P.S. 2219 9540
Software Operational Guide    1568731


DEFINITION OF TERMS

This section contains definitions of the basic terms upon which
the following discussion is based.

WORDS                MEANING

AUDIT                Audit is a process of recording within a series
                     of files (the audit trail) a complete history of
                     all the changes made to a data base. Each data
                     base has its own audit trail that cannot be
                     shared with any other data base.

TRANSACTION          A sequence of data management operations
                     required to process one user request.
                     Operations which change the data base can only
                     be done during a transaction.

PROGRAM              The process of restoring the integrity of a data
ABORT RECOVERY       base when a program is terminated in the middle
                     of a transaction, but the data management system
                     continues to run.

CLEAR/START          The process of restoring the integrity of a data
RECOVERY             base which was open and being updated when a
                     system failure occurred.

SYNCPOINT            A DMS-controlled time when no programs are
                     updating a data base. No programs are in a
                     transaction.

CONTROLPOINT         A SYNCPOINT that also writes to disk any data
                     base blocks or data base control information
                     that has been updated and that has been in
                     memory since prior to the previous CONTROLPOINT.

RESTART              A process by which the Data Management System
                     provides information to an application program
                     about the last transaction that was completed
                     before a failure which required recovery. The
                     programs that are restarted by the operator
                     after a CLEAR/START can use this information to
                     commence processing transactions that were not
                     completed.

DUMP RECOVERY        The process of using the "after" images in the
                     audit trail and a backup copy of the data base
                     to rebuild the data base when it is found to be
                     unusable because of storage failures.

PARTIAL              The process of recovering a subset of the files
DUMP RECOVERY        in a data base from a previous dump (Dump
                     Recovery of a subset of the data base).

RECOVERY             The process of restoring the integrity of a data
                     base that may have been (corrupted or lost)
                     through a hardware or software failure.

FILE DUMP            A backup copy of part or all of the data base,
                     created while the data base is not being used.
                     The information necessary for DUMP recovery to
                     enter the audit trail will be automatically
                     saved in the <data-base-name>/DICTIONARY which
                     should be included with each dump.

AUDIT

The audit trail is a sequence of "before" and "after" images
resulting from changes written to the data base, plus various
control records. Pure retrieval requests are not audited. The
audit trail is used to recover the data base after a Clear/Start,
to provide restart information to object programs, to reconstruct
the data base when portions of the data base are lost due to
hardware errors, and to back out transactions for aborted
programs.


TRANSACTIONS

Restart after recovery is accomplished efficiently by requiring
some aid from the application programs. To minimize the coding
required in the application programs, transaction processing is
the basis for recovery and restart.

A transaction is any sequence of data management operations
starting with BEGIN-TRANSACTION and ending with END-TRANSACTION
(or END-TRANSACTION with SYNC). A sample program using
transactions is included in Appendix C.

When BEGIN-TRANSACTION is executed, the program enters
transaction state. When END-TRANSACTION (or END-TRANSACTION with
SYNC) is executed, the program leaves transaction state. Also,
all records locked by the program are unlocked at the completion
of END-TRANSACTION. (The only exception is that the current
restart-data-set record is not unlocked.) These transactions may
not be nested. That is, BEGIN-TRANSACTION returns an AUDITERROR
exception if the program was already in transaction state. Any
error on BEGIN-TRANSACTION other than AUDITERROR will leave the
program not in transaction state. Any END-TRANSACTION (or
END-TRANSACTION with SYNC) returns an AUDITERROR exception if the
program was not in transaction state. Any exception other than
AUDITERROR will leave the program in transaction state.

END-TRANSACTION with SYNC forces a SYNCPOINT to occur after the
transaction is completed but prior to returning control to the
user program. This form should be used very sparingly to avoid a
significant decrease in system throughput. On data bases which
have the audit option set in their DASDL, the only operations
which are legal when not in transaction state are OPEN, FIND,
MODIFY, FREE, CLOSE, CREATE, RECREATE and BEGIN-TRANSACTION. Any
other operation will return an AUDITERROR exception. If AUDIT is
specified in BEGIN-TRANSACTION or END-TRANSACTION, the restart
record (within the user program) is saved for possible restart.
(A STORE on the restart data set is performed.) If NO-AUDIT is
specified, the restart record area is not saved. AUDIT is true
by default for BEGIN-TRANSACTION; NO-AUDIT is the default for
END-TRANSACTION.

Prior to any BEGIN or END-TRANSACTION with AUDIT, a CREATE or
RECREATE of the restart-data-set must be executed if there is no
locked current record for the restart-data-set. If this is not
done, a NOTLOCKED exception will occur.

AUDIT should never be set on both BEGIN-TRANSACTION and
END-TRANSACTION. Only the last audited restart record is
available at restart time; thus the BEGIN-TRANSACTION will never
be returned to the user. If restart information is updated
during a transaction, then AUDIT should be set on
END-TRANSACTION. Otherwise AUDIT on either but not both. Any
transaction which does not set AUDIT on either is not
restartable.

RESTART-DATA-SETS

At restart time the data base will be recovered by the
RECOVER/DATA.BASE program. It is the user's responsibility to
restart the user program and to restore the necessary state for
that program. The restart record is provided as a storage area
for some of the state information, but it does not do such things
as re-positioning non-data base input and output files, etc.

For each data base that has the audit option specified, a
restart-data-set is required. This data set follows the rules of
normal disjoint data sets, with a few additions. The
restart-data-set may not contain any embedded data sets or
subsets. The restart-data-set must be invoked by any COBOL
program which contains a BEGIN- or END-TRANSACTION. The
restart-data-set record is used for program-dependent restart.
The purpose of the restart record area is to hold the minimal
amount of information that a program needs to restart after a
Clear/Start or when transactions are aborted. Please note that
the same size restart-data-set record is used for all programs
that run against a data base. The size of the restart data set
must be large enough to restart the program which requires the
most information to restart.

It is intended that the user supply an item (or items) uniquely
identifying the restart areas for each different application
program. Typically, the program-id is used as the key to access
the restart data set. There often will be a large alpha item
which holds the actual restart information. Moving this item to
a COBOL work area will allow each different program to access
this information in the most convenient format. All COBOL verbs
may be used to access the current restart record.


SYNCPOINTS

Transactions for different users may overlap. To allow maximum
throughput (minimum record contention), changed records need not
be locked until the end of the transaction updating them. Thus,
in general, it is not possible to back out a partial transaction
without backing out all overlapping transactions (completed or
not). In order to limit the amount of backing out required at
recovery time, the SYNCPOINT was introduced. SYNCPOINT is a
point when no programs are in transaction state.

Transactions are intended to be of roughly equal duration.
Otherwise, a disproportionately long delay may be imposed upon
programs executing short transactions at syncpoint time. This
delay results from having to wait for the longer transactions to
complete.

Obvious sources of long waits (such as "NO FILE" conditions)
should be avoided when in transaction state. A single program
hung while in transaction state means that, eventually, no
transactions against the data base will be able to proceed,
because a SYNCPOINT must occur.

The user may specify the frequency of syncpoints in terms of
transactions. At each END-TRANSACTION, the system checks to see
if it is time for a syncpoint. If it is time, then the system
waits for all in-process transactions to complete, places a
syncpoint in the current audit record, and initiates the I/O on
the audit record. Any jobs attempting to execute a
BEGIN-TRANSACTION during this period are suspended. When the I/O
completes, the syncpoint is complete, and all suspended jobs are
reinstated.

The user may force a syncpoint at any time by initiating an
END-TRANSACTION with SYNC. SYNCPOINT must complete before
control is returned to the user program when this form of
END-TRANSACTION is used.

Close will always force a SYNCPOINT prior to returning to the
user program. This eliminates the possibility of having to
backout a close due to a program abort or Clear/Start.


CONTROL POINTS

In order to minimize physical I/Os, changes to database buffers
are accumulated in memory. Updated buffers are written to disk
only when the memory space they occupy is required for another
purpose. Thus, without a special mechanism to force writes on
all buffers, Clear/Start recovery would have to go back to the
data-base open to insure that all changes are reflected in the
data base.

CONTROLPOINTS are the special mechanism to limit the amount of
time needed for Clear/Start recovery. The user may specify the
frequency of CONTROLPOINTS in terms of SYNCPOINTS. When a
syncpoint completes, the system checks to see if this is also a
controlpoint. If it is, then special code is executed to insure
that modified buffers and control information are written to disk
at least every two control points. When all I/Os have completed,
then a control point is marked in the audit buffers and then
normal processing resumes.

When a buffer is updated, it is marked to show that. When the
next CONTROLPOINT occurs, if the buffer is still in memory, it is
marked to show that. When the second CONTROLPOINT occurs, if the
buffer is still in memory, then it will be forced out to disk
before the CONTROLPOINT will finish. Thus, Clear/Start recovery
need not go back further than two CONTROLPOINTS from the end of
the audit trail. If CONTROLPOINTS do not occur frequently, then
it is likely that only frequently used records (such as coarse
tables) will need to be flushed at CONTROLPOINT time.
(Infrequently used records will tend to be overlaid during normal
processing against the data base.) Updated available space
information (NAHO's) are flushed every other CONTROLPOINT also.

AUDIT-SERIAL-NUMBER

The audit-serial-number performs a number of functions in both
auditing and recovery. Each time any block of data is changed
because of a data base operation, the change is assigned a unique
audit-serial-number. The initial serial number is a function of
DASDL compilation. This is used to perform a version check on
the first audit trail file. The audit-serial-number is
incremented by one for each change to the data base and uniquely
identifies an audit record.

One of the primary rules on an audited data base is that no
updated data base blocks may be written to disk unless its
changes have been written to the audit trail. This guarantees
that any change can be backed out if necessary. The
audit-serial-number is used to insure that this rule is met. The
system keeps track of the highest audit serial number in the
audit trail. Each block in memory has associated with it an
audit serial number reflecting the last update that was done to
that block. Any data base block with an audit serial number
which is higher than that on the audit trail may not be written
to disk.
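
The write rule above and the two-CONTROLPOINT flush described under
CONTROL POINTS, modelled together as an added Python example (it is
not DMSII code). The class and method names are hypothetical, and
keeping a buffer's CONTROLPOINT mark when the buffer is updated again
is an assumption the manual does not state.

```python
class BufferPool:
    """Toy model of audited data base buffers; all names are hypothetical."""

    def __init__(self):
        self.next_serial = 1   # next audit serial number to assign
        self.trail_high = 0    # highest serial physically on the audit trail
        self.pending = []      # audit records still in the audit buffer
        self.dirty = {}        # block id -> [serial of last update, marks]
        self.disk_writes = []  # (block id, serial) in the order written

    def update(self, block_id):
        """Change a block: assign a serial and buffer its audit record."""
        serial = self.next_serial
        self.next_serial += 1
        self.pending.append(serial)
        # Assumption: a re-update keeps the CONTROLPOINT mark; otherwise a
        # busy block could stay in memory for more than two CONTROLPOINTS.
        marks = self.dirty.get(block_id, [0, 0])[1]
        self.dirty[block_id] = [serial, marks]
        return serial

    def flush_audit(self):
        """Write the audit buffer; the trail now covers every pending serial."""
        if self.pending:
            self.trail_high = self.pending[-1]
            self.pending.clear()

    def write_block(self, block_id):
        """Write a block to disk only if its audit record is on the trail."""
        serial, _ = self.dirty[block_id]
        if serial > self.trail_high:
            return False       # rule: audit record must reach the trail first
        del self.dirty[block_id]
        self.disk_writes.append((block_id, serial))
        return True

    def controlpoint(self):
        """Mark buffers seen once; force out buffers already marked."""
        self.flush_audit()     # a CONTROLPOINT is also a SYNCPOINT
        forced = []
        for block_id in list(self.dirty):
            if self.dirty[block_id][1] >= 1:
                self.write_block(block_id)
                forced.append(block_id)
            else:
                self.dirty[block_id][1] = 1
        return forced


def demo():
    """Constructed scenario: one refused write, then two CONTROLPOINTS."""
    pool = BufferPool()
    pool.update("A")
    early = pool.write_block("A")   # refused: audit record not on trail yet
    pool.flush_audit()
    late = pool.write_block("A")    # allowed: serial 1 is now on the trail
    pool.update("B")
    first = pool.controlpoint()     # B is marked, not written
    pool.update("B")                # updated again, mark kept
    pool.update("C")
    second = pool.controlpoint()    # B forced out, C marked
    return early, late, first, second, pool.disk_writes
```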


All tables in the data base (index sequential, index random and
lists) contain a space at the end of their block which contains
an audit serial number. This audit serial number corresponds to
the last change that was made to this table. The audit record
which describes the change to the block also has associated with
it a serial number. By comparing these serial numbers, the
recovery program can tell if the change described by a given
audit record has been done, and take the appropriate action.
This prevents performing the same operation twice or not
performing it at all. Blocks which contain data set records do
not contain serial numbers because changes to a data set record
do not affect other records; and therefore, a change may be
applied more than once with no effect on the data base.

Each audit record concerning tables also explicitly carries with
it another audit serial number. This serial number is the audit
serial of the block before the change described by this audit
record was made. This serial is needed for Clear/Start recovery
when it is not known what blocks have been updated on disk.
Program-abort recovery also uses this serial number when backing
out operations, although it does know that all blocks have been
updated on disk.

If the recovery program finds a match between the serial numbers
on a block and the audit record, it is sure the change described
by the audit has been done. When it backs this change out, it
replaces the serial number on the block with the previous serial
number. The next time the block is updated the recovery program
can again check for the equal condition. After the recovery
program has backed out the changes back to the last SYNCPOINT
before the Clear/Start, all serial numbers that it will see will
then be in a known range. This allows for effective consistency
checking which is important in the environment after a
Clear/Start. This same type of consistency checking is done for
all types of recovery.
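
The serial comparison described in this section, worked through as an
added Python example (it is not the RECOVER/DATA.BASE code). The
record layout, the insert/delete table operations, the names and the
error raised on an out-of-range serial are assumptions; the sample
audit trail and disk state are constructed.

```python
from dataclasses import dataclass

SYNCPOINT = "SYNCPOINT"  # stand-in for the SYNCPOINT state record
INVERSE = {"insert": "delete", "delete": "insert"}


@dataclass
class TableBlock:
    entries: list
    serial: int       # audit serial kept at the end of the table block


@dataclass(frozen=True)
class TableAudit:
    serial: int       # serial assigned to this change
    prev_serial: int  # serial of the block before this change
    block_id: str
    op: str           # "insert" or "delete" of one table entry
    entry: str


def change(block, op, entry):
    # Table changes are not idempotent: a second insert would duplicate
    # the entry and a second delete would fail.
    if op == "insert":
        block.entries.append(entry)
    else:
        block.entries.remove(entry)


def back_out(disk, trail):
    """Read backward to the last SYNCPOINT, undoing changes found on disk."""
    undone = []
    for rec in reversed(trail):
        if rec == SYNCPOINT:
            break
        blk = disk[rec.block_id]
        if blk.serial == rec.serial:          # match: the change was done
            change(blk, INVERSE[rec.op], rec.entry)
            blk.serial = rec.prev_serial      # block now carries prior serial
            undone.append(rec.serial)
        elif blk.serial > rec.serial:         # assumed consistency check
            raise ValueError("block serial outside expected range")
        # lower serial: the change never reached disk, nothing to undo
    return undone


def redo(disk, trail):
    """Read forward, applying each change exactly once."""
    applied = []
    for rec in trail:
        if rec == SYNCPOINT:
            continue
        blk = disk[rec.block_id]
        if blk.serial == rec.prev_serial:     # block is in its "before" state
            change(blk, rec.op, rec.entry)
            blk.serial = rec.serial
            applied.append(rec.serial)
        elif blk.serial < rec.serial:         # assumed consistency check
            raise ValueError("earlier change missing from block")
        # equal or higher serial: already reflected in the block
    return applied


def sample():
    """Constructed state at the moment of a Clear/Start."""
    trail = [
        TableAudit(10, 7, "IX1", "insert", "k1"),
        SYNCPOINT,
        TableAudit(11, 10, "IX1", "insert", "k2"),
        TableAudit(12, 3, "IX2", "insert", "k9"),
        TableAudit(13, 11, "IX1", "delete", "k1"),
    ]
    disk = {
        "IX1": TableBlock(["k1", "k2"], 11),  # written after change 11
        "IX2": TableBlock(["k8"], 3),         # not written since change 3
    }
    return disk, trail
```

Running back_out or redo a second time over the same trail changes nothing, which is the "same operation twice" case the serial numbers prevent.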


AUDIT FILES

The audit trail consists of a sequence of audit files which are
named:

<data-base-name>/AUDIT<audit-file-number>

The audit file number starts at one and increases by one every
time a new audit file is opened. When it reaches 99999 it
"wraps around" to zero and starts again.

The audit trail should not reside on the system disk but on a
user pack or tape, since it will be lost if the system disk fails
and a Cold/Start is required. It also should not reside on the
same pack as any of the data base files. If that pack is
damaged, then both the data base files and the audit files used
to protect them will be lost.

Audit files with no data in them may be generated. This may
occur when an irrecoverable I/O error is encountered during the
write of the first block to an audit file or if a Clear/Start
happens prior to the first block being written. These files are
not removed since the recovery program a eu ee
whether it is going forward or backward.

AUDIT FILE FORMAT

The audit file contains fixed-length blocks with variable-length
records. The length of a block is set during DASDL compilation
and each audit block contains a fixed-size trailer. The trailer
contains two audit serial numbers. An audit serial number is
needed for every record in the audit file; however, once it is
established, it can be calculated from the previous record's
serial. After the serial has been established, the serials on
the blocks become redundant information which is checked for
consistency.

The trailer contains a current block audit serial number, a block
number and a full-block bit. The current block audit serial
number is that of the first record in the block. The block
number is relative to the beginning of the file (0 is first). If
the block is completely full, the full-block bit is set to
indicate that status.

The trailer also contains the next block's audit serial number
and a pointer to the last record. The serial is of the first
record in the next block. It matches the current serial in the
next block. The pointer is the distance in bits from the start
of the block to the end of the last record in this block. If no
records end in this block, the pointer takes on the value of
@FFFF@. This situation comes up when audit records are long
relative to the size of the block.

Several of these fields are used to insure that the end of the
audit file is not lost. The end of the audit file can be found
by reading the audit trail forward and checking that the block
number is correct, and also that the current block audit serial
number of this block matches the previous block's next block's
audit serial number.

If either of these checks fail, then the end of file has been
found. This applies whether auditing to disk or tape. The
end-of-file pointer on a disk file is updated on disk every time
a new area is opened (it points at the last block in the new
area) and when the audit file is closed (it points at the last
block used). Thus, in finding the end-of-file on a disk file,
the serial search can start at the end of the next to last area.

The length of audit records is determined by the type of the
record and the structure which the record references. The audit
file must be read forward and backward and so the record type and
structure number appear at each end of the audit record.

Some record types are not associated with any particular
structure but describe the state of the data base. These only
have a record type. They include data base open, close,
SYNCPOINT, CONTROLPOINT and PROGRAM ABORT. The rest of the
record types are associated with a particular structure and that
structure number follows the record type, independent of the
direction that the auditfile is being read. (For further
information on audit record types and formats, see Appendix A).

Some information in the audit file is redundant at certain times
during recovery. An example of this is the record type and
structure number at the "other" end of the record. This
information is checked as protection against undetected I/O
errors.


AN AUDIT BLOCK

   1. Audit record area.
   2. Last record displacement from start (16 bits).
   3. First audit serial in this block (32 bits).
   4. First audit serial in next block (32 bits).
   5. Full block indicator (1 bit).
   6. Block number, first block in file = 0 (32 bits).

AN AUDIT RECORD (DATA BASE STATE)

   1. Record type (8 bits).

AN AUDIT RECORD (STRUCTURE OPERATION)

   Field order: 1, 2, 3, 2, 1

   1. Record type (8 bits).
   2. Structure number (8 bits).
   3. Fields depend on record type and structure number.

AUDIT FILE USAGE

Audit files are of variable length; their size is determined by
a number of factors. Initially, an audit file is opened at the
first BEGIN-TRANSACTION after the data base is opened. The audit
file is closed whenever any one of the following occurs:

1. The audit file fills up.

2. An irrecoverable I/O error occurs.

3. The data base is closed by all programs which have ever
   gone through BEGIN-TRANSACTION.

4. A PROGRAM ABORT occurs.

Although nothing appears on the audit file to indicate it, the
audit file is closed in a sense by a Clear/Start recovery. The
exact way that this is handled is explained later in this
section.

In cases one and two, there will be no indication why the audit
file has been closed. The program will simply reach end of file.
In fact, an audit record may be split across a file boundary. In
cases three and four, a record is put into the audit file to
indicate what caused the file to close.


When an audit file is closed by the MCP, some processing is done
so that the file may be used later. If the file is a disk file,
the EOF pointer is adjusted so that it reflects the last block
that was written. If the file is a tape file, tapemarks and an
ending label which contains among other things the block count,
are written on to the end of the file. But when a Clear/Start
occurs, none of this can be done. To recover the data base
immediately after the Clear/Start and make future dump recovery
possible, some processing is done after the Clear/Start.

Any tape files that were opened output get a tape mark written on
them before they are rewound as part of the Clear/Start. The
recovery program requires this tape mark be at the end of all
tape files. If the tape mark is not written for some reason (for
instance, the tape is dismounted before the Clear/Start) then
DMPALL or some other utility must be run to make a new tape with
a tape mark.

For disk files, the recovery program must fill in the end-of-file
pointer. As the audit file is being written, the end-of-file
pointer is always kept at the end of the area being filled up.
Because of the way disk space is allocated and buffers are output
from memory to disk, the good audit blocks are known. If there
is more than one area, recovery is assured for the last block of
the next to the last area. That is, when the disk space for a
new area is obtained, the last block in the prior area has been
successfully written out. If an auditfile has only one area,
then there may not be any good audit blocks in it. When the
recovery program finds the last good block, it updates the
end-of-file pointer to the correct value.

For future recoveries, some way is needed to identify that a
Clear/Start recovery has taken place. The way this is done is to
make the audit serial number one greater than it would normally
be. This is used for both Dump recovery and Clear/Start
recoveries which happen immediately after the present one. For
Dump recovery, the recovery program opens the next file as it
comes to the end of the present one. That a Clear/Start has
happened is apparent in the serial-number check. The recovery
program then must reopen the prior audit file and back out to the
last SYNCPOINT.

If a Clear/Start happens just after the audit file opens, but
before the first block gets written out, the recovery program
opens the prior file. If this file was closed due to a data base
close or it had Clear/Start recovery run on it, there is no
recovery that has to be performed. Since all changes to the data
base do not go out of memory until the audit block describing
them is written out and no audit blocks have gone out, nothing
needs to be backed out. However, if, for instance, the prior
file was closed because it was full, then the changes described
in this prior audit file must be backed out. To tell the
difference, the serial number is again used. If the next block
serial in the last audit block is the same as that in the
dictionary, then a good close has taken place. If the next block
serial is one less than that in the dictionary, then a
Clear/Start recovery has taken place. Other values for that
serial indicate a Clear/Start recovery is needed.
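
The end-of-file search described under AUDIT FILE FORMAT and the
dictionary comparison described above, as an added Python example (it
is not the recovery program's code). The trailer fields and their
widths come from the AN AUDIT BLOCK legend; their order, the
big-endian packing, the full-block bit stored in a byte of its own,
the 64-byte block size and all names are assumptions, and the sample
blocks are constructed.

```python
import struct
from dataclasses import dataclass

# Assumed layout: displacement (16), this-block serial (32),
# next-block serial (32), full-block flag (1 bit in one byte),
# block number (32).
TRAILER = struct.Struct(">HIIBI")
NO_RECORD_END = 0xFFFF  # the manual's @FFFF@: no record ends in this block


@dataclass
class Trailer:
    last_record_end_bits: int
    first_serial: int
    next_serial: int
    full: bool
    block_number: int


def make_block(number, first_serial, next_serial,
               last_end=NO_RECORD_END, full=False, size=64):
    """Build a constructed audit block: empty record area plus trailer."""
    area = bytes(size - TRAILER.size)
    return area + TRAILER.pack(last_end, first_serial, next_serial,
                               int(full), number)


def parse_trailer(block):
    end, cur, nxt, full, num = TRAILER.unpack(block[-TRAILER.size:])
    return Trailer(end, cur, nxt, bool(full & 1), num)


def find_end_of_audit(blocks):
    """Read forward; return (index of last good block, why the scan stopped)."""
    prev = None
    for index, raw in enumerate(blocks):
        t = parse_trailer(raw)
        if t.block_number != index:
            return index - 1, "block number mismatch"
        if prev is not None and t.first_serial != prev.next_serial:
            return index - 1, "serial chain broken"
        prev = t
    return len(blocks) - 1, "no more blocks"


def classify_close(last_trailer, dictionary_serial):
    """Compare the last block's next-block serial with the dictionary's."""
    if last_trailer.next_serial == dictionary_serial:
        return "good close"
    if last_trailer.next_serial == dictionary_serial - 1:
        return "clear/start recovery has taken place"
    return "clear/start recovery needed"


def sample_blocks():
    """Three chained blocks, then a stale block left from earlier use."""
    return [
        make_block(0, 100, 105, last_end=300),
        make_block(1, 105, 111, last_end=392, full=True),
        make_block(2, 111, 118),  # one long record, none ends here
        make_block(3, 40, 47),    # right block number, wrong serial
    ]
```

The stale fourth block shows why both checks are made: its block number is the expected one, and only the serial chain reveals that it is not part of this audit file.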


AUDIT EFFICIENCY

Two audit buffers are always used when creating an audit file.
The buffers are used alternately. The switch occurs whenever a
buffer fills or a syncpoint occurs while auditing to tape. When
an audit file fills up, any operations in process are allowed to
complete (but no new ones may start), filling the audit buffers
and, if necessary, overflowing into temporarily allocated
buffers. The audit file is closed and a new audit file is
opened, preserving the FIB and audit buffers through close and
open. If necessary, the current buffers that are full, and any
overflow buffers, are written out to the new audit file. At the
completion of these I/Os, the data base operations are allowed to
commence.

Audit efficiency is determined by two critical parameters: the
frequency of SYNCPOINTS and the file's blocksize. To keep the
speed from deteriorating excessively when auditing, the audit
trail must have a large effective blocking factor. Too small an
audit file blocksize will prevent this, as will frequent
SYNCPOINTS. (The audit buffers are flushed at SYNCPOINT time,
and the DMS routines are inhibited until the writes complete).
On the other hand, if SYNCPOINTS occur infrequently, many
transactions may be backed out during Clear/Start recovery or
when aborting a transaction. Also, a large audit file blocksize
implies that more memory is required for audit buffers and for
data buffer space, since updated buffers may not be overlaid
(written to disk) until the corresponding audit entries have been
written to the audit trail. When auditing to tape, if the
blocksize is larger than the audit information recorded during
SYNCPOINTs, the extra space does not get used.

For data sets, record images are audited, and for
index-sequential, index random and lists, table entry changes are
audited. Logical audit records may be split across one or more
physical audit blocks. These techniques cause a considerable
reduction in the amount of data which might otherwise be written
to the audit trail.

During an audit, if an I/O error occurs while attempting to write
to the audit trail and the normal MCP retries are not successful,
the current audit file is closed and the next one opened. The
write is then retried. The data base is locked against update
until the audit block is successfully written. If tape is the
audit media, it should be copied when the last block of an audit
tape had a write parity. The recovery routines need a copy of
the tape with a tape mark at the end and no faulty areas.

RECOVERY

When an event has occurred that compromises the integrity of an
audited data base, a program is run to make the data base
trustworthy again. This section describes that program
(RECOVER/DATA.BASE) and some of the resources it uses to
accomplish its job.

A data base may lose its integrity in a number of ways. Three
possibilities are:

1. The loss of the disk that any part of the data base was
   stored on.

2. A failure of the hardware or software while the data base is
   being updated such that a Clear/Start is required. An
   unknown amount of changes to the data base may be trapped in
   memory in this case.

3. The failure of a program that was in transaction state (and
   was potentially capable of changing the data base) to
   successfully leave transaction state.

These types of failures are handled by the recovery program and
are referred to, respectively, as:

1. Dump or Partial-dump recovery.
2. Clear/Start recovery.
3. Program-abort recovery.

Note: The types of failures are ranked in order of their
      seriousness, i.e., the effort and processor time to
      recover from the error. The loss of disk (Possibility 1)
      is the most serious and may include Program-Abort recovery
      as part of a Dump recovery.

      A software failure may cause either a program or system
      failure. If they occur at the same time, a Clear/Start
      recovery (the more serious failure) is required.
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RECOVERY INITIATION 


Recovery begins when the RC control message is entered upon the 
console printer or CRT. The RC control message executes 
RECOVER/DATA.BASE >» providing the necessary tabel equation. 
RECOVER/DATA-BASE must reside on system disk at the time RC is. 
used. The syntax of RC is defined as: | | 


SYNTAX 
KC === <data-base-name> -"------------- aa a7 


for- ON == <pack-name> <-->1 
>> ewer Bwon aw namraewnanwanennenanwenwaew eee a a a ace lan 


The RC message zips the execution of the data base recovery
program and the user-supplied <data-base-name> identifies the
name of the data base that is to be recovered. The type of
recovery to be done is automatically defined by the information
in the data base on the status of the data base.

RC allows an optional <pack-id> for those data bases where the
dictionary resides on a user disk as well as an optional
file-list to indicate dump recovery of the specified data base
files only. The <file-identifier>s are put into a parameter file
similar to a LOAD-DUMP file. The address of this file is passed
to the recovery program and Switch 4 is set to "1" (SW4=1) by the
MCP to indicate recovery of a partial data base. There is no
file list required for Clear/Start, abort recovery, or full-dump
recovery.

TYPES OF RECOVERY

The simplest failure from a recovery point of view is
Program-abort recovery. The recovery program need only back out
all the changes made to the data base from the last SYNCPOINT or,
if there has not been a SYNCPOINT since the data base was opened,
then to the data base open.

Clear/Start recovery involves backing out all the changes since
the last SYNCPOINT and then going back two CONTROLPOINTS and
making sure that all changes to the data base that were done in
this interval are reflected in the data base.


Dump recovery requires that the previous copy of the data base
and the audit files written since that copy was taken be loaded
to disk. The recovery program applies the audited changes, i.e.,
the "after" images, to the previous data base. The recovery
program processes these images in the same way the DMS program
originally processed them, with the exception that when a
Clear/Start is encountered on the audit file, the recovery program
only has to back out changes since the last SYNCPOINT. Any
changes done before the last SYNCPOINT have been written to disk
by the recovery program.


Partial-dump recovery allows the user to perform Dump recovery on
a subset of the files in the data base. A backup copy of only
those files to be recovered and the old Dictionary are loaded.
The old Dictionary is loaded under the name
<data-base-name>/OLD.DICT. The current Dictionary must remain
under its proper name. Dump recovery is performed on the
specified files until they are up to the level of the current
Dictionary. At that time Clear/Start recovery or Program-abort
recovery will be performed if necessary.


CLEAR/START RECOVERY

When the first update on the data base occurs, a bit (boolean) is
set on in the <data-base-name>/DICTIONARY. This bit is turned
off when the data base is closed for the last update program. On
the first open of the data base, if this bit is on, the data base
was not closed properly (e.g., there was a Clear/Start without a
successful data base close). Clear/Start recovery is requested.
All data management jobs will be suspended by data management
OPEN until recovery is successful.

Recovery occurs in four phases:

    1.  The end of the audit trail is found.

    2.  The audit trail is read backward to the last SYNCPOINT.
        The "before" images are used to back out all changes
        since the last SYNCPOINT.

    3.  The second CONTROLPOINT from the end of the audit trail
        is found, and the audit trail is scanned forward from
        this point. The "after" images are used to insure that
        all transactions before that last SYNCPOINT are
        completed. The restart areas for the last completed
        transactions are saved in the restart data set.

    4.  The audit file is terminated, the data base is
        unlocked, and recovery is complete.
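
The four phases above, as an added Python model (not Burroughs code and not part of the original manual). The trail is a constructed list of records; each CHANGE record carries both a before and an after image, a before image of None means the record did not exist, and with fewer than two CONTROLPOINTs the forward scan starts at the beginning of the trail.

```python
# Simplified model of the Clear/Start recovery phases (added example).
# Trail records (constructed): ("OPEN",), ("SYNCPOINT",), ("CONTROLPOINT",),
# and ("CHANGE", key, before_image, after_image); None = record absent.

def _put(disk, key, image):
    """Write an image to the modelled disk; None removes the record."""
    if image is None:
        disk.pop(key, None)
    else:
        disk[key] = image

def clear_start_recover(disk_at_crash, trail):
    """Return (recovered_disk, changes_backed_out, changes_reapplied)."""
    disk = dict(disk_at_crash)

    # Phase 1: find the end of the audit trail.
    end = len(trail)

    # Phase 2: read backward to the last SYNCPOINT, restoring "before" images.
    pos, backed_out = end - 1, 0
    while pos >= 0 and trail[pos][0] != "SYNCPOINT":
        if trail[pos][0] == "CHANGE":
            _, key, before, _after = trail[pos]
            _put(disk, key, before)
            backed_out += 1
        pos -= 1
    last_sync = pos  # -1 when no SYNCPOINT was taken since the open

    # Phase 3: find the second CONTROLPOINT from the end (or the start of
    # the trail if there are fewer than two) and scan forward to the last
    # SYNCPOINT, writing "after" images so every completed change is on disk.
    start, seen = 0, 0
    for i in range(end - 1, -1, -1):
        if trail[i][0] == "CONTROLPOINT":
            seen += 1
            if seen == 2:
                start = i
                break
    reapplied = 0
    for rec in trail[start:last_sync + 1]:
        if rec[0] == "CHANGE":
            _, key, _before, after = rec
            _put(disk, key, after)
            reapplied += 1

    # Phase 4: the audit file is terminated and the data base unlocked
    # (nothing to model here).
    return disk, backed_out, reapplied

# Constructed sample. Blocks still in memory at the Clear/Start were lost,
# so the disk is missing A=2 and C=7 but already holds B=11, a change made
# after the last SYNCPOINT.
TRAIL = [
    ("OPEN",),
    ("CHANGE", "A", None, 1),
    ("SYNCPOINT",),
    ("CONTROLPOINT",),
    ("CHANGE", "B", None, 10),
    ("SYNCPOINT",),
    ("CONTROLPOINT",),
    ("CHANGE", "A", 1, 2),
    ("CHANGE", "C", None, 7),
    ("SYNCPOINT",),
    ("CHANGE", "B", 10, 11),
    ("CHANGE", "C", 7, 8),
]
DISK_AT_CRASH = {"A": 1, "B": 11}

if __name__ == "__main__":
    print(clear_start_recover(DISK_AT_CRASH, TRAIL))
```

The recovered state is the data base as of the last SYNCPOINT, whichever mix of old and new blocks had reached disk.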


Although Clear/Start recovery is requested automatically by the
first data base OPEN executed after a Clear/Start, the operator
may safely run it at any time. If recovery is not needed, the
recovery program will ask for a nonexistent audit file. The
operator should respond that it is not available and recovery
will terminate.


The locking of records in DMSII is designed to maximize the
potential for multiprogramming against the data base and hence,
total throughput. Thus, changed records need not be held locked
until the end of the transaction which changed them. A partial
transaction cannot, in general, be backed out without
invalidating other transactions that were occurring at the same
time. One transaction may have updated the data base with data
created by the aborted transaction. Thus, an attempt to abort a
single transaction may affect all programs currently running
against the data base. For this reason, transactions should be
aborted only when absolutely necessary. Explicit syntax to
invoke the abort transaction process is not provided. The abort
transaction function is implicitly invoked when a program
terminates and forces a close on a data base while in transaction
state. Program termination outside of transaction state does not
require recovery; however, the restart record is saved.


The abort transaction process will force a SYNCPOINT before
performing the abort. As soon as all programs are out of
transaction state, the SYNCPOINT occurs and a "pseudo" close is
performed. All updated blocks in memory are written to disk, all
control information is written to the <data-base-name>/DICTIONARY
and the audit file is closed. Any programs attempting to access
the data base will be hung "WAITING DATA BASE RECOVERY".
RECOVER/DATA.BASE will be executed by the MCP. For Program-abort
recovery, the "before" images in the audit trail will be used to
back out all transactions since the last SYNCPOINT. The restart
areas for the last completed transaction will be entered in the
restart data set.


When the recovery is complete, RECOVER/DATA.BASE issues a special
communicate to the MCP. This communicate updates the necessary
information in the <data-base-name>/DICTIONARY.

If any other programs were accessing the data base at the time of
the Program-abort, then a "pseudo" open is performed. The
necessary <data-base-name>/DICTIONARY information is updated in
memory and all the affected programs will be restarted. Affected
programs will be informed that some of their transactions have
been backed out by an ABORT exception returned by their next
execution of BEGIN-TRANSACTION or CLOSE following the abort.
When this occurs, the affected programs should retrieve their
restart record from the restart data set to aid in redoing their
backed-out transactions.

The paths of all programs currently using the data base are
marked as undefined at the completion of Program-abort recovery.


DUMP RECOVERY

Dump recovery (or RECONSTRUCTION) may be executed any time the
data base is not active. Prior to executing the recovery
program, a good version of the data base should be loaded to the
system. Both the dictionary file and all of the data files which
have been updated since this version was created should also be
loaded. All audit files created after this version must be
available when requested.

The recovery program will apply all of the "after" images on the
audit trail to the data base. It will continue until it finishes
the last audit file (the operator tells the recovery program that
there are no more audit files) or an I/O error is encountered.
If an I/O error is encountered or an audit file is unavailable,
the data base will be recovered to that point; all further audit
files should be destroyed and all processing from that point must
be re-run. The RESTART Data Set will contain the normal restart
information for programs that were running at that point. If any
of the audit files were terminated with a Clear/Start or a
Program-abort, the normal Program-abort handling is invoked.
Upon completion of Program-abort, dump recovery is resumed with
the next audit file.


PARTIAL-DUMP RECOVERY 


If a subset of the files in a data base (excluding the
dictionary) have been lost or corrupted, the user may request
that only those files be recovered from a previous dump through
an RC message which specifies a list of the <file-name>s. The
dictionary from that dump must be loaded to disk under the name
<data-base-name>/OLD.DICT. Recovery will use the old dictionary
as the source of the file records of the files to be recovered as
well as the audit FPB and the audit serial information (or any
other information). Dump recovery is performed on the specified
files until they are up to the current dictionary level. At that
time, Clear/Start or Program-abort recovery will be performed on
the full data base if needed.




RECOVER/DATA.BASE does extensive integrity checking in an attempt
to preclude or identify corruption in a data base. A side effect
is that recovery is not restartable with this checking. When it
is necessary to rerun recovery, the RC message is again entered,
but with Switch 3 set to one (SW3=1) in order to reduce the
integrity checking. The data base should still be intact, but
recovery is not likely to detect previously existing corruption
in this mode. If Program-abort or Partial-dump recovery or
Clear/Start recovery continues to fail, DUMP recovery may be
successful. A backup copy of the data base should be loaded and
recovery started.

I/O ERROR DURING RECOVERY

The control information of each audit block contains the audit
block number. It increases by one for each audit block written.
If it ever increases by more than one for two consecutive blocks,
one or more blocks of the audit may have been lost. The recovery
routines check for this condition. Any I/O errors while
attempting to read the audit trail will cause either incomplete
or unsuccessful recovery. Incomplete recovery occurs on dump
recovery, where on detecting an I/O error on the audit trail, the
recovery program will back out to the last SYNCPOINT.
Program-abort recovery, Clear/Start recovery, and Partial-dump
recovery terminate unsuccessfully when they encounter an audit
trail I/O error.

I/O errors on data base files always result in unsuccessful
recovery.

Note: Copying the audit tape will NOT help if there is a faulty
area in the middle of an otherwise good audit tape. (All
information after the faulty area will be lost).

APPENDIX A: AUDIT RECORD FORMAT

Audit records are variable length and variable format. The key
to the length and format of the record is the type field which is
the first item of each record. Each record must be capable of
being traversed in both a forward and a backward direction. For
this reason each record which is longer than just a type field
will also end in the type field. There are two types of
audit records: Control Records and Data Records.

The control records consist only of a type field. For control
records, the first digit of the type field is @0@. These records
are:

TYPE        MEANING

@01@ --     SYNCPOINT
@02@ --     CONTROLPOINT
@03@ --     DATA BASE CLOSE
@04@ --     DATA BASE OPEN
@05@ --     PROGRAM ABORT

The data records are grouped into classes. The first digit of
the type indicates the class. Immediately following the type
field is an 8-bit structure number. The records always end with
the 8-bit structure number followed by the 8-bit type field. The
general format is:

TYPE - STRUCTURE - DATA (VARIABLE) - STRUCTURE - TYPE

The specific records and their contents are:

TYPE & MEANING      CONTENTS                          LENGTH

DATA SETS:

@10@ -- DATA        PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
RECORD AFTER        BLOCK LOGICAL ADDRESS             BIT(24)
IMAGE               DATA RECORD NUMBER                BIT(8)
                    NEW DATA RECORD                   BIT(STR.RECORD.SIZE)

@11@ -- DATA        PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
RECORD BEFORE       BLOCK LOGICAL ADDRESS             BIT(24)
IMAGE               DATA RECORD NUMBER                BIT(8)
                    OLD DATA RECORD                   BIT(STR.RECORD.SIZE)

@12@ -- DATA        PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
RECORD BEFORE       BLOCK LOGICAL ADDRESS             BIT(24)
AND AFTER           DATA RECORD NUMBER                BIT(8)
IMAGE               OLD DATA RECORD                   BIT(STR.DATA.SIZE)
                    NEW DATA RECORD                   BIT(STR.DATA.SIZE)

INDEXES:

@20@ -- INSERT      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
TABLE ENTRY         BLOCK LOGICAL ADDRESS             BIT(24)
                    TABLE ENTRY NUMBER                BIT(12)
                    NEW TABLE ENTRY                   BIT(STR.RECORD.SIZE)

@21@ -- REMOVE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
TABLE ENTRY         BLOCK LOGICAL ADDRESS             BIT(24)
                    TABLE ENTRY NUMBER                BIT(12)
                    OLD TABLE ENTRY                   BIT(STR.RECORD.SIZE)

@22@ -- INDEX       PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
SEQUENTIAL          BLOCK LOGICAL ADDRESS             BIT(24)
ROOT                OLD ROOT TABLE LOGICAL ADDRESS    BIT(24)
                    NEW ROOT TABLE LOGICAL ADDRESS    BIT(24)

@23@ -- INDEX       PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
SEQUENTIAL          BLOCK LOGICAL ADDRESS             BIT(24)
KEY CHANGE          TABLE ENTRY NUMBER                BIT(12)
                    OLD KEY                           BIT(STR.KEY.SIZE)
                    NEW KEY                           BIT(STR.KEY.SIZE)

BLOCK CONTROL FIELDS:

@30@ -- SET         PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
BLOCK TYPE          BLOCK LOGICAL ADDRESS             BIT(24)
                    OLD BLOCK TYPE                    BIT(2)
                    NEW BLOCK TYPE                    BIT(2)

@31@ -- CHANGE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
TABLE NEXT          BLOCK LOGICAL ADDRESS             BIT(24)
                    OLD TABLE NEXT                    BIT(24)
                    NEW TABLE NEXT                    BIT(24)

@32@ -- CHANGE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
TABLE PRIOR         BLOCK LOGICAL ADDRESS             BIT(24)
                    OLD TABLE PRIOR                   BIT(24)
                    NEW TABLE PRIOR                   BIT(24)

@33@ -- SET         PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
TABLE NEXT &        BLOCK LOGICAL ADDRESS             BIT(24)
PRIOR               OLD TABLE NEXT                    BIT(24)
                    OLD TABLE PRIOR                   BIT(24)
                    NEW TABLE NEXT                    BIT(24)
                    NEW TABLE PRIOR                   BIT(24)

LIST:

@40@ -- BEFORE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
IMAGE OF            BLOCK LOGICAL ADDRESS             BIT(24)
CONTROLINFO         LIST TABLE NUMBER                 BIT(8)
                    OLD CONTROLINFO                   BIT(72)

@41@ -- AFTER       PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
IMAGE OF            BLOCK LOGICAL ADDRESS             BIT(24)
CONTROLINFO         LIST TABLE NUMBER                 BIT(8)
                    NEW CONTROLINFO                   BIT(72)

@42@ -- INSERT      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
LIST RECORD         BLOCK LOGICAL ADDRESS             BIT(24)
                    LIST TABLE NUMBER                 BIT(8)
                    LIST RECORD NUMBER                BIT(8)
                    NEW RECORD                        BIT(STR.ENTRY.SIZE)

@43@ -- REMOVE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
LIST RECORD         BLOCK LOGICAL ADDRESS             BIT(24)
                    LIST TABLE NUMBER                 BIT(8)
                    LIST RECORD NUMBER                BIT(8)
                    OLD RECORD                        BIT(STR.ENTRY.SIZE)

@44@ -- REMOVE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
LIST RECORD         BLOCK LOGICAL ADDRESS             BIT(24)
AND DELETE          LIST TABLE NUMBER                 BIT(8)
                    OLD CONTROLINFO & OLD RECORD      BIT(72 + STR.ENTRY.SIZE)

@45@ -- STORE       PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
LIST TABLE AND      BLOCK LOGICAL ADDRESS             BIT(24)
INSERT LIST         LIST TABLE NUMBER                 BIT(8)
RECORD              NEW CONTROLINFO & NEW RECORD      BIT(72 + STR.ENTRY.SIZE)

@46@ -- CHANGE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
LIST RECORD         BLOCK LOGICAL ADDRESS             BIT(24)
                    LIST TABLE NUMBER                 BIT(12)
                    LIST RECORD NUMBER                BIT(8)
                    OLD RECORD                        BIT(STR.DATA.SIZE)
                    NEW RECORD                        BIT(STR.DATA.SIZE)

LIST HEAD:

Note: The parent record is being audited

@50@ -- LIST        PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
HEAD AFTER          BLOCK LOGICAL ADDRESS             BIT(24)
IMAGE               DATA RECORD NUMBER (PARENT        BIT(12)
                    IS A DATA SET) OR
                    LIST TABLE NUMBER (PARENT
                    IS A LIST)
                    EMBEDDED LIST HEAD OFFSET         BIT(16)
                    FILLER (VALUE=0) (PARENT IS       BIT(8)
                    A DATA SET) OR
                    LIST RECORD NUMBER (PARENT
                    IS A LIST)
                    NEW LIST HEAD                     BIT(64)

@51@ -- LIST        PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
HEAD BEFORE         BLOCK LOGICAL ADDRESS             BIT(24)
IMAGE               DATA RECORD NUMBER (PARENT        BIT(12)
                    IS A DATA SET) OR
                    LIST TABLE NUMBER (PARENT
                    IS A LIST)
                    EMBEDDED LIST HEAD OFFSET         BIT(16)
                    FILLER (VALUE=0) (PARENT IS       BIT(8)
                    A DATA SET) OR
                    LIST RECORD NUMBER (PARENT
                    IS A LIST)
                    OLD LIST HEAD                     BIT(64)

RECORD ALLOCATION:

@60@ -- UPDATE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
NEXT AVAILABLE      BLOCK LOGICAL ADDRESS             BIT(24)
AND HIGHEST         OLD NEXT AVAILABLE                BIT(32)
OPENED              NEW NEXT AVAILABLE                BIT(32)

@61@ -- UPDATE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
NEXT AVAILABLE      BLOCK LOGICAL ADDRESS             BIT(24)
                    OLD NEXT AVAILABLE                BIT(32)
                    NEW NEXT AVAILABLE                BIT(32)
BURROUGHS CORPORATION.

@62@ -- RETURN      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
NEXT AVAILABLE      BLOCK LOGICAL ADDRESS             BIT(24)
                    NEW NEXT AVAILABLE                BIT(32)
                    OLD NEXT AVAILABLE                BIT(32)

@63@ -- OPEN        AREA NUMBER                       BIT(8)
NEW AREA

INDEX SPLITS & COMBINES:

@70@ -- INSERT      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
INTO FRONT OF       BLOCK LOGICAL ADDRESS             BIT(24)
TABLE               NUMBER OF ENTRIES TO MOVE         BIT(12)
                    SPLIT ENTRIES                     BIT(# ENTRIES TO MOVE
                                                      * STR.RECORD.SIZE)
                    NUMBER OF ENTRIES TO MOVE         BIT(12)

@71@ -- INSERT      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
INTO BACK OF        BLOCK LOGICAL ADDRESS             BIT(24)
TABLE               NUMBER OF ENTRIES TO MOVE         BIT(12)
                    SPLIT ENTRIES                     BIT(# ENTRIES TO MOVE
                                                      * STR.RECORD.SIZE)
                    NUMBER OF ENTRIES TO MOVE         BIT(12)

@72@ -- REMOVE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
FROM FRONT OF       BLOCK LOGICAL ADDRESS             BIT(24)
TABLE               NUMBER OF ENTRIES TO MOVE         BIT(12)
                    SPLIT ENTRIES                     BIT(# ENTRIES TO MOVE
                                                      * STR.RECORD.SIZE)
                    NUMBER OF ENTRIES TO MOVE         BIT(12)

@73@ -- REMOVE      PREVIOUS AUDIT SERIAL NUMBER      BIT(32)
FROM BACK OF        BLOCK LOGICAL ADDRESS             BIT(24)
TABLE               NUMBER OF ENTRIES TO MOVE         BIT(12)
                    COMBINE ENTRIES                   BIT(# ENTRIES TO MOVE
                                                      * STR.RECORD.SIZE)
                    NUMBER OF ENTRIES TO MOVE         BIT(12)
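
The framing described in Appendix A, as an added Python example (not code from the manual or from Burroughs). It models only the control records and the data-set after-image and before-image records, assumes byte-aligned fields, and uses a hypothetical STRUCT_RECORD_BYTES table in place of the dictionary's STR.RECORD.SIZE; a record whose leading and trailing type or structure fields disagree is rejected in either direction.

```python
# Byte-aligned model of the Appendix A framing (added example). Assumptions:
# fields are whole bytes, and STRUCT_RECORD_BYTES is a hypothetical stand-in
# for the dictionary's STR.RECORD.SIZE. Type codes are as read from the tables.
CONTROL = {0x01: "SYNCPOINT", 0x02: "CONTROLPOINT", 0x03: "DATA BASE CLOSE",
           0x04: "DATA BASE OPEN", 0x05: "PROGRAM ABORT"}
DATA = {0x10: "AFTER IMAGE", 0x11: "BEFORE IMAGE"}
STRUCT_RECORD_BYTES = {1: 4, 2: 6}
FIXED = 4 + 3 + 1  # audit serial BIT(32), block address BIT(24), record no. BIT(8)

def record_len(structure):
    """Total bytes of a data record: TYPE, STRUCTURE, data, STRUCTURE, TYPE."""
    if structure not in STRUCT_RECORD_BYTES:
        raise ValueError(f"unknown structure number {structure}")
    return 2 + FIXED + STRUCT_RECORD_BYTES[structure] + 2

def build_data(rtype, structure, serial, block, recno, image):
    """Frame one data record; type and structure are repeated at the end."""
    if len(image) != STRUCT_RECORD_BYTES[structure]:
        raise ValueError("image does not match the structure's record size")
    body = (serial.to_bytes(4, "big") + block.to_bytes(3, "big")
            + bytes([recno]) + image)
    return bytes([rtype, structure]) + body + bytes([structure, rtype])

def _decode(buf, start, rtype, structure):
    """Decode the data record at `start`, checking that both ends agree."""
    end = start + record_len(structure)
    if start < 0 or end > len(buf):
        raise ValueError("truncated record")
    if ((buf[start], buf[start + 1]) != (rtype, structure)
            or (buf[end - 2], buf[end - 1]) != (structure, rtype)):
        raise ValueError(f"leading/trailing fields disagree near offset {start}")
    return (DATA[rtype], structure,
            int.from_bytes(buf[start + 2:start + 6], "big"),
            int.from_bytes(buf[start + 6:start + 9], "big"),
            buf[start + 9], bytes(buf[start + 10:end - 2]))

def read_forward(buf):
    """Walk the stream from the first record, keyed by the leading type."""
    out, pos = [], 0
    while pos < len(buf):
        rtype = buf[pos]
        if rtype in CONTROL:
            out.append((CONTROL[rtype],))
            pos += 1
        elif rtype in DATA and pos + 1 < len(buf):
            out.append(_decode(buf, pos, rtype, buf[pos + 1]))
            pos += record_len(buf[pos + 1])
        else:
            raise ValueError(f"bad type field at offset {pos}")
    return out

def read_backward(buf):
    """Walk the stream from the last record, keyed by the trailing type."""
    out, pos = [], len(buf)
    while pos > 0:
        rtype = buf[pos - 1]
        if rtype in CONTROL:
            out.append((CONTROL[rtype],))
            pos -= 1
        elif rtype in DATA and pos >= 2:
            start = pos - record_len(buf[pos - 2])
            out.append(_decode(buf, start, rtype, buf[pos - 2]))
            pos = start
        else:
            raise ValueError(f"bad type field at offset {pos - 1}")
    return out

# Constructed sample stream: open, one update (before + after image),
# a SYNCPOINT, another after image, then SYNCPOINT and CONTROLPOINT.
SAMPLE = (bytes([0x04])
          + build_data(0x11, 1, 7, 0x000102, 3, b"OLD1")
          + build_data(0x10, 1, 8, 0x000102, 3, b"NEW1")
          + bytes([0x01])
          + build_data(0x10, 2, 9, 0x000200, 0, b"ABCDEF")
          + bytes([0x01, 0x02]))
```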

APPENDIX B: SAMPLE DASDL

The following is a skeleton of a sample DASDL for a data base
using Audit and Recovery:

PARAMETERS (SYNCPOINT = 100 TRANSACTIONS,
            CONTROLPOINT = 106 SYNCPOINTS);

OPTIONS (AUDIT);

RESTARTAREAS RESTART DATA SET
    (
     TC "TRANSACTION COUNTER BUMPED BY ONE DURING EACH
         TRANSACTION BY THE USER PROGRAM"
        NUMBER (6);

     ALPHAID "UNIQUE ID FOR EACH PROGRAM"
        ALPHA (18);

     USERINFO "INFO PROGS NEED TO RESTART"
        ALPHA (240);
    );

RESTARTSET SET OF RESTARTAREAS
    KEY IS (ALPHAID);

AUDIT TRAIL (
    FAMILYNAME = AUDITPACK,
    AREAS = 100, AREALENGTH = 5 BLOCKS,
    BLOCKSIZE = 3000 BYTES);

APPENDIX C: SAMPLE PROGRAM

The following is a skeleton of a restartable data management
COBOL program. The program reads an input tape. Each block
contains enough information to update one member of the data
management data set PERSONNEL of data base COMPANYX. The
updating of one member is a transaction. The point of restart
code is to skip the blocks that have already been processed.

NOTE: The cards with an asterisk (*) in the first column are
      generated from the data base description automatically by
      the COBOL compiler.


 IDENTIFICATION DIVISION.
 ENVIRONMENT DIVISION.
 INPUT-OUTPUT SECTION.
 FILE-CONTROL.
     SELECT TF ASSIGN TO TAPE.
     SELECT PRINT ASSIGN TO PRINTER.
 DATA DIVISION.
 FILE SECTION.
 FD  TF.
 01  BLOCKBUF.
 DATA-BASE SECTION.
 DB  COMPANYX.
 01  PERSONNEL INVOKE PERSONNEL.
*    .
*    .
*    .
 01  RESTARTAREAS INVOKE RESTARTAREAS.
*01  RESTARTAREAS DATA SET.
*    RESTARTSET SET OF RESTARTAREAS KEY IS ALPHAID.
*    02 TC                    PIC 9(6).
*    02 ALPHAID               PIC X(18).
*    02 USERINFO              PIC X(240).
 WORKING-STORAGE SECTION.
 77  BLOCKSIN                 PIC 9(5) COMP-1 VALUE 0.
 77  SKIPNUM                  PIC 9(5) COMP-1 VALUE 0.
 77  BLOCKNUM                 PIC 9(5) COMP-1 VALUE 0.
 77  I                        PIC 9(5) COMP-1 VALUE 0.
 77  ABORTING                 PIC 9(5) COMP-1 VALUE 0.

 PROCEDURE DIVISION.
 THEONLY SECTION.
 DUMMYLABEL.
     OPEN INPUT TF.
     OPEN OUTPUT PRINT.
     OPEN UPDATE COMPANYX
         ON EXCEPTION GO DIE.
     MODIFY RESTARTAREAS VIA RESTARTSET AT RESTARTALPHAID = "MYID"
         ON EXCEPTION CREATE RESTARTAREAS
             MOVE "MYID" TO RESTARTALPHAID ELSE GO RESTARTED.
 MAINLOOP.
     PERFORM READIT.
     GO TO A-TRANSACTION.
*
 DIE.  STOP RUN.
 READIT.
     READ TF AT END GO CLOSE-DB.
     ADD 1 TO BLOCKSIN.
*
 A-TRANSACTION.
     BEGIN-TRANSACTION RESTARTAREAS NO-AUDIT
         ON EXCEPTION IF DMSTATUS (ABORT)
             GO ABORTED ELSE
             GO DIE.
     <data base operations to update a member of PERSONNEL using
      the information in BLOCKBUF.>
     ADD 1 TO TC.
     END-TRANSACTION RESTARTAREAS AUDIT
         ON EXCEPTION GO DIE.
     GO TO MAINLOOP.
 RESTARTED.
     MOVE TC TO I.
     MOVE 0 TO BLOCKSIN.
     PERFORM READIT I TIMES.
     GO TO MAINLOOP.
 ABORTED.
     MOVE 1 TO ABORTING.
     MODIFY RESTARTSET AT
         RESTARTALPHAID = "MYID"
         ON EXCEPTION IF DMSTATUS (NOTFOUND) CREATE RESTARTAREAS
             GO MAINLOOP ELSE GO DIE.
     <RETURN TO START OF PROGRAM.>
     CLOSE TF RELEASE.
     OPEN INPUT TF.
     GO TO RESTARTED.
 CLOSE-DB.
     BEGIN-TRANSACTION RESTARTAREAS NO-AUDIT
         ON EXCEPTION IF DMSTATUS (ABORT) GO ABORTED
             ELSE GO DIE.
     DELETE RESTARTAREAS
         ON EXCEPTION GO DIE.
     END-TRANSACTION RESTARTAREAS NO-AUDIT SYNC
         ON EXCEPTION GO DIE.
     CLOSE COMPANYX ON EXCEPTION GO DIE.
     <don't have to worry about ABORT EXCEPTION because sync
      on previous END-TRANSACTION prevents backing out any
      transactions>.
     STOP RUN.

APPENDIX D: PROGRAM SWITCHES

The recovery program uses the program switches for several
functions. The use of each switch is described below.

SWITCH 1:  Any nonzero value causes the recovery program to
           produce a printed trace of its operation. This trace
           contains a formatted copy of each record processed,
           the address and data of each data base block read or
           written, and a notation of each major decision that is
           made or step that is started.

SWITCH 2:  Any nonzero value causes the recovery program to stop
           and await user action whenever a major step is
           started. There are four major steps, some of which
           are used in each type of recovery. The four steps
           are:

           1.  Process the audit trail forward to the end

           2.  Process the audit trail forward a specified number
               of syncpoints

           3.  Process the audit trail backward to the first
               syncpoint or the beginning of this audit file

           4.  Skip backward on this audit file until two
               controlpoints have been found or the beginning of
               the file is reached.

SWITCH 3:  Any nonzero value tells the recovery program to ignore
           the flag that indicates recovery has already been
           tried. It also restricts the integrity checking that
           can be done on dump recovery, partial dump recovery
           and program abort recovery. It should be used only
           when recovery must be restarted. This switch is
           interrogated only at the start of recovery.

SWITCH 4:  A nonzero value tells the recovery program that it
           is doing partial dump recovery. This switch should be
           set only by the MCP. This switch is interrogated only
           at the start of recovery.

SWITCH 5:  This switch is used in conjunction with Switch 1 to
           control the printed trace of the recovery program.
           Switch 1 controls the invocation of the trace, and
           Switch 5 controls the contents of the trace. If
           Switch 5=0, then the trace will contain the history of
           the changes to all structures; if the Switch is
           nonzero, then the user will be requested to supply
           (via the SPO) a list of the structures to be traced.
           This switch is interrogated only at the start of
           recovery.

All other Switches are not used by the recovery program.

